This configuration has been tested on Win2003 + IIS6.0 + Serv-U + SQL Server hosting multiple websites on a single server. In the checklist below, recommended settings are marked with √ and optional settings with ×.
I. System permission settings
1. Disk permissions
On the system disk, grant Full Control only to the Administrators group and SYSTEM.
On all other disks, grant Full Control only to the Administrators group.
System disk\Documents and Settings: Full Control only for the Administrators group and SYSTEM.
System disk\Documents and Settings\All Users: Full Control only for the Administrators group and SYSTEM.
System disk\windows\system32\config: Guests group denied.
System disk\Documents and Settings\All Users\Start Menu\Programs: Guests group denied.
System disk\windows\system32\inetsrv\data: Guests group denied.
System disk\Windows\System32\at.exe, attrib.exe, cacls.exe, net.exe, net1.exe, netstat.exe, regedit.exe: Full Control only for the Administrators group and SYSTEM.
System disk\Windows\System32\cmd.exe, format.com: Full Control only for the Administrators group.
Rename every copy of format.com (in Windows\system32 and Windows\ServicePackFiles\i386) to format_nowayh.com.
2. Local security policy settings
Choose Start > Administrative Tools > Local Security Policy
A. Local Policies -> Audit Policy
Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure
B. Local Policies -> User Rights Assignment
Shut down the system: keep only the Administrators group and remove all others.
Deny logon through Terminal Services: add the Guests group.
Allow logon through Terminal Services: add the Administrators and Remote Desktop Users groups and remove all others.
C. Local Policies -> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all entries
Network access: Named pipes that can be accessed anonymously: delete all entries
Network access: Remotely accessible registry paths: delete all entries
Network access: Remotely accessible registry paths and sub-paths: delete all entries
Accounts: Rename guest account: give it a new name
Accounts: Rename administrator account: give it a new name
D. Account Policies -> Account Lockout Policy
Set "Account lockout threshold" to 5 invalid logon attempts, "Account lockout duration" to 30 minutes, and "Reset account lockout counter after" to 30 minutes.
II. Other configurations
√ · Rename the Administrator account
Administrative Tools → Local Security Policy → Local Policies → Security Options
√ · Create a fake "Administrator" account without any permissions
Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users
Change its description to "Built-in account for administering the computer/domain"
× · Rename the IIS guest account
1. Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users → rename IUSR_ComputerName
2. Open IIS Manager → local computer → Properties → check "Enable Direct Metabase Edit"
3. Go to the Windows\system32\inetsrv folder → MetaBase.xml → right-click and edit → find "AnonymousUserName" → enter the new name of the IUSR_ account → save
4. Clear "Enable Direct Metabase Edit" again
√ · Disable file sharing
Local Area Connection properties → clear the check boxes in front of "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks"
√ · Disable NetBIOS (close port 139)
Local Area Connection properties → TCP/IP properties → Advanced → WINS → Disable NetBIOS over TCP/IP
Administrative Tools → Computer Management → Device Manager → View → Show hidden devices → Non-Plug and Play Drivers → disable "NetBios over Tcpip" → restart
√ · Firewall settings
Local Area Connection properties → Advanced → Windows Firewall Settings → Advanced → the first "Settings" button → select FTP, HTTP and Remote Desktop
√ · Disable the ADMIN$ share and the default disk shares, and restrict the IPC$ share (anonymous users cannot enumerate local users; null-session connections are blocked)
Create a REG file with the following content and import it into the registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
√ · Delete the following registry keys (the ProgIDs and their CLSIDs):
WScript.Network, WScript.Network.1, {093FF999-1EA0-4079-9525-9614C3504B74}
WScript.Shell, WScript.Shell.1, {72c24dd5-d70a-438b-8a42-98108b88afb8}
Shell.Application, Shell.Application.1, {13709620-C279-11CE-A49E-444553540000}
√ · Change the Terminal Services port from 3389 to 12344
This article only shows how to change the port; since this port number has now been published, do not use it yourself. Convert your chosen port number to hexadecimal with the Windows calculator and replace the two DWORD values below with it (the value is written in hexadecimal; pad it with leading zeros to the full width shown). The change takes effect after the server is restarted. Create a REG file with the following content and import it into the registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00003038

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00003038
Do not forget to allow port 12344 and block port 3389 in Windows Firewall.
√ · Prevent non-Administrators from using the At command: create a REG file with the following content and import it into the registry
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SubmitControl"=dword:00000001
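An added read-only audit script (not part of the original article) that reads back the registry values imported in this section, plus the COM keys listed above, and reports anything that does not match the hardened state. It assumes PowerShell is available on the server and that 12344 is the port actually chosen; the COM keys are assumed to live under HKEY_CLASSES_ROOT, where ProgIDs and CLSIDs are registered.

```powershell
# Added example: read-only audit of the registry hardening from this section.
# Expected values come from the article; the port is the article's example value.
$expectedValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks';     Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer';  Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'SubmitControl';    Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp';   Name = 'PortNumber'; Value = 12344 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber'; Value = 12344 }
)
# COM registrations the article deletes; ProgIDs and CLSIDs sit under HKEY_CLASSES_ROOT.
$absentKeys = @(
    'WScript.Network', 'WScript.Network.1', 'CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}',
    'WScript.Shell',   'WScript.Shell.1',   'CLSID\{72c24dd5-d70a-438b-8a42-98108b88afb8}',
    'Shell.Application', 'Shell.Application.1', 'CLSID\{13709620-C279-11CE-A49E-444553540000}'
)

function Test-HardeningState {
    $findings = @()
    foreach ($e in $expectedValues) {
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        # A missing value is reported as a mismatch rather than silently passing.
        $actual = if ($item) { $item.($e.Name) } else { '<missing>' }
        if ($actual -ne $e.Value) {
            $findings += "MISMATCH $($e.Path)\$($e.Name): expected $($e.Value), found $actual"
        }
    }
    # PowerShell has no HKCR: drive by default; map one for the key checks.
    if (-not (Test-Path 'HKCR:')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    foreach ($k in $absentKeys) {
        if (Test-Path "HKCR:\$k") { $findings += "STILL PRESENT HKCR\$k" }
    }
    return $findings
}

$result = @(Test-HardeningState)
if ($result.Count -eq 0) { 'All audited settings match the hardened state.' } else { $result }
```

Run it after the REG files have been imported and the server restarted; an empty finding list means every audited value and key is in the expected state.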
√ · Uninstall the most insecure components
Run "Uninstall the most insecure components.bat". After restarting, rename or delete wshom.ocx and shell32.dll in Windows\System32\.
------ Uninstall the most insecure components.bat ------
Regsvr32 /u %SystemRoot%\System32\wshom.ocx
Regsvr32 /u %SystemRoot%\System32\shell32.dll
Regsvr32 /u %SystemRoot%\System32\wshext.dll
-------------------
√ · Move the Windows logs
Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\
Application subkey: application log
Security subkey: security log
System subkey: system log
Change the File value of each subkey, copy AppEvent.Evt, SecEvent.Evt and SysEvent.Evt from the System32\config directory to the target folder, and restart the system.
√ · Protect the Windows logs
1. On the folder the logs were moved to: Properties > Security > Advanced > clear "Allow inheritable permissions from the parent ..." → Copy → OK
2. Keep only the System account and the Users group. The System account keeps all permissions except Full Control and Modify; the Users group keeps Read only.
3. For AppEvent.Evt and SysEvent.Evt, keep the Administrator, System and Users groups: Administrator and System keep all permissions except Full Control and Modify, and the Users group keeps Read only.
For DnsEvent.Evt and SecEvent.Evt, keep the System account and the Users group: System keeps all permissions except Full Control and Modify, and the Users group keeps Read only.
√ · Services to stop manually and set to Disabled: Computer Browser, Error Reporting Service, Microsoft Search, Print Spooler, Remote Registry, Server, TCP/IP NetBIOS Helper, Workstation
√ · Fix IIS 6.0 not being able to download files larger than 4 MB (raised here to 10 MB)
Stop the IIS service → open WINDOWS\system32\inetsrv\ → open MetaBase.xml in Notepad → find the aspBufferingLimit entry → change its value to 10485760
√ · Set the maximum size of a single uploaded web file to 10 MB
Stop the IIS service → open WINDOWS\system32\inetsrv\ → open MetaBase.xml in Notepad → find the aspMaxRequestEntityAllowed entry → change its value to 10485760
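An added check (not from the article) that reads the two metabase limits edited above, together with the AnonymousUserName renamed earlier, straight out of MetaBase.xml instead of searching by eye in Notepad. The sample metabase fragment is constructed for the example and mirrors the IIS 6 defaults (4194304 bytes buffering limit, 204800 bytes request entity limit); the attribute names are the ones IIS 6 writes into the file.

```powershell
# Added example: inspect the IIS 6 metabase limits the article edits by hand.
# Constructed sample fragment with IIS 6 default values; not taken from a real server.
$sampleMetabase = @'
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC"
        AnonymousUserName="IUSR_WEB01"
        AspBufferingLimit="4194304"
        AspMaxRequestEntityAllowed="204800" />
  </MBProperty>
</configuration>
'@

function Get-MetabaseLimits {
    param([string]$XmlText, [int]$WantedBytes = 10485760)   # 10 MB, the article's target
    $doc = [xml]$XmlText
    # The metabase declares a default namespace, so match elements by local-name().
    $nodes = $doc.SelectNodes('//*[local-name()="IIsWebService" or local-name()="IIsWebServer"]')
    $report = @()
    foreach ($n in $nodes) {
        $where = $n.GetAttribute('Location')
        foreach ($attr in 'AspBufferingLimit', 'AspMaxRequestEntityAllowed') {
            if ($n.HasAttribute($attr)) {
                $val = [int]$n.GetAttribute($attr)
                $status = if ($val -ge $WantedBytes) { 'OK' } else { 'BELOW TARGET' }
                $report += "$where $attr=$val ($status, target $WantedBytes)"
            }
        }
        if ($n.HasAttribute('AnonymousUserName')) {
            $user = $n.GetAttribute('AnonymousUserName')
            # The article renames IUSR_ComputerName; flag accounts still using the default prefix.
            $status = if ($user -like 'IUSR_*') { 'default-style name, not yet renamed' } else { 'renamed' }
            $report += "$where AnonymousUserName=$user ($status)"
        }
    }
    return $report
}

# Run against the constructed sample. For the live file (IIS stopped, or read-only) use:
# Get-MetabaseLimits ([IO.File]::ReadAllText("$env:SystemRoot\system32\inetsrv\MetaBase.xml"))
Get-MetabaseLimits $sampleMetabase
```

Per-site IIsWebServer nodes can override the service-wide values, so the report lists every node that carries one of the attributes, not just /LM/W3SVC.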
× · Relocate the IIS log files and set their permissions
1. Move the IIS log files to a non-system partition: create a folder on a non-system NTFS partition → open IIS Manager → right-click the website → Properties → on the Web Site tab click "Enable logging" → Properties → change the log file directory to the folder just created
2. Set the IIS log file permissions: browse to the folder containing the log files → Properties → Security → make sure Administrators and SYSTEM have Full Control
× · Configure IIS metabase permissions
Open the Windows\System32\Inetsrv\MetaBase.xml file → Properties → Security → confirm that only members of the Administrators group and the LocalSystem account have Full Control on the metabase, remove all other users and groups → OK
· Explanation of the web content permissions
Open IIS Manager → right-click the website, directory, virtual directory or file you want to configure
Script source access: users can access the source files. With "Read" selected they can read the source; with "Write" selected they can write it. Script source access includes the source code of scripts. This option is unavailable unless "Read" or "Write" is selected.
Read (selected by default): users can view the content and properties of directories or files.
Write: users can change the content and properties of directories or files.
Directory browsing: users can view file lists and collections.
Log visits: a log entry is created for each visit to the website.
Index this resource: allows the indexing service to index this resource so that it can be searched.
√ · Disable Autoplay
Run the Group Policy Editor (gpedit.msc) → Computer Configuration → Administrative Templates → System → Turn off Autoplay → Properties → Enabled → All drives
√ · Disable DCOM
Run dcomcnfg.exe → Console Root → Component Services → Computers → right-click My Computer → Properties → Default Properties → clear the "Enable Distributed COM on this computer" check box.
√ · Enable parent paths
IIS Manager → right-click the website → Properties → Home Directory → Configuration → Options → Enable parent paths
√ · Set the IIS 6.0 session timeout and ASP script timeout
IIS Manager → right-click the website → Properties → Home Directory → Configuration → Options → change them to 40 minutes and 180 seconds respectively
√ · Delete unnecessary IIS extension mappings
.shtml, .shtm, .stm
√ · Add MIME file type support to IIS
IIS Manager → select the server → right-click → Properties → MIME Types (or right-click the website → Properties → HTTP Headers → MIME Types → New) → add the following extensions and MIME types, then restart IIS
Extension: .iso    MIME type: application/octet-stream
Extension: .rmvb   MIME type: application/vnd.rn-realmedia
√ · Disable dump file generation
My Computer → right-click → Properties → Advanced → Startup and Recovery → Write debugging information → (none).
Dump files are useful for troubleshooting when the system crashes with a blue screen (I would literally translate the term as "junk files"). However, they can also hand attackers sensitive information, such as the passwords held by some applications.
III. Serv-U FTP service settings
√ · Local Server → Settings → block "FTP_bounce" attacks and FXP
Block a user for 5 minutes after more than 10 connections within 60 seconds
√ · Local Server → Domains → Users → select the account to configure → on the right, set "Allow only two logins from the same IP address"
√ · Local Server → Domains → Settings → Advanced → clear "Allow MDTM command to change file date/time"
Set the ACL on the folder where the Serv-U program is located: the Administrators group gets Full Control; the Guests group and the IIS anonymous user are denied Read.
Server messages, changed from top to bottom to:
The server is working properly and is now ready...
Error! Contact the administrator!
The FTP server is being maintained offline. Please try again later!
FTP server failure. Please try again later!
The current account has reached its maximum user quota. Please try again later!
Sorry, the server does not allow anonymous access!
You have uploaded too little. Please upload more before trying to download!
IV. SQL security settings
· Audit SQL Server connections
Enterprise Manager → expand the server group → right-click the server → Properties → Security → Audit level: Failure
· Change the sa account password
Enterprise Manager → expand the server group → Security → Logins → double-click the sa account
· In SQL Query Analyzer, drop the dangerous extended stored procedures:
Use master
Exec sp_dropextendedproc xp_cmdshell
Exec sp_dropextendedproc xp_dirtree
Exec sp_dropextendedproc xp_enumgroups
Exec sp_dropextendedproc xp_fixeddrives
Exec sp_dropextendedproc xp_loginconfig
Exec sp_dropextendedproc xp_enumerrorlogs
Exec sp_dropextendedproc xp_getfiledetails
Exec sp_dropextendedproc Sp_OACreate
Exec sp_dropextendedproc Sp_OADestroy
Exec sp_dropextendedproc Sp_OAGetErrorInfo
Exec sp_dropextendedproc Sp_OAGetProperty
Exec sp_dropextendedproc Sp_OAMethod
Exec sp_dropextendedproc Sp_OASetProperty
Exec sp_dropextendedproc Sp_OAStop
Exec sp_dropextendedproc Xp_regaddmultistring
Exec sp_dropextendedproc Xp_regdeletekey
Exec sp_dropextendedproc Xp_regdeletevalue
Exec sp_dropextendedproc Xp_regenumvalues
Exec sp_dropextendedproc Xp_regread
Exec sp_dropextendedproc Xp_regremovemultistring
Exec sp_dropextendedproc Xp_regwrite
Drop procedure sp_makewebtask
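An added verification script (not part of the article) that queries master after the statements above have been run and lists any of the named procedures that still exist, so a missed or failed drop is visible. It assumes the script runs on the server with a Windows login that can read master; the instance name is a placeholder to replace.

```powershell
# Added example: list which of the procedures the article drops are still present in master.
# Uses Windows authentication; the instance name below is a placeholder, not a real server.
$instance = 'SQLSERVER_INSTANCE_PLACEHOLDER'
$procs = @('xp_cmdshell','xp_dirtree','xp_enumgroups','xp_fixeddrives','xp_loginconfig',
           'xp_enumerrorlogs','xp_getfiledetails','sp_OACreate','sp_OADestroy','sp_OAGetErrorInfo',
           'sp_OAGetProperty','sp_OAMethod','sp_OASetProperty','sp_OAStop','xp_regaddmultistring',
           'xp_regdeletekey','xp_regdeletevalue','xp_regenumvalues','xp_regread',
           'xp_regremovemultistring','xp_regwrite','sp_makewebtask')

function Get-RemainingDangerousProcs {
    param([string]$Server, [string[]]$Names)
    # The name list is a fixed constant defined in this script, not user input,
    # so building the IN (...) clause from it is safe here.
    $list  = ($Names | ForEach-Object { "'" + $_ + "'" }) -join ','
    # xtype 'X' = extended stored procedure, 'P' = ordinary stored procedure (sp_makewebtask).
    $query = "SELECT name, xtype FROM master.dbo.sysobjects WHERE xtype IN ('X','P') AND name IN ($list)"
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=master;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        $found = @()
        while ($reader.Read()) {
            $found += "$($reader['name']) (xtype $($reader['xtype'].ToString().Trim()))"
        }
        return $found
    } finally {
        $conn.Close()
    }
}

$remaining = @(Get-RemainingDangerousProcs -Server $instance -Names $procs)
if ($remaining.Count -eq 0) { 'None of the listed procedures remain in master.' } else { $remaining }
```

Any name still listed means the corresponding drop statement did not take effect and should be re-run in Query Analyzer.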
91ri.org comment: This article describes a simple server security configuration. Configuring the server according to it can partially protect against some hacker attacks. To keep the server secure, also install professional server anti-virus software and a firewall, patch frequently, and configure the permission settings of each website.